MV1000 Brume - network question

What is your configuration? Is the GL.iNet your main router cabled to your ISP modem, or NATed behind your main ISP router?

Internet > cable modem > TP Deco (192.168.68.0)
The Brume is wired to the main Deco; LAN is 192.168.8.0

The cable modem has port 25 open. The Deco forwards port 25 on its cable modem interface to the Brume on port 5001.

So clients have no problem connecting over VPN and reaching hosts on the TP Deco LAN 192.168.68.0. However, they are unable to reach hosts on the Brume LAN 192.168.8.0.

Allowed IPs of your clients?
Have you configured the WG server via the GL.iNet GUI or LuCI?
Firmware version?

Firmware is 3.105 as downloaded from the GL site. I noticed that they use a release candidate version 19.07 of OpenWRT rather than a production version (currently 19.07.5).

I configured WG via the GL GUI. This is how I got to where I am: clients can ping hosts on the WAN interface, but not on the LAN.

I spent days trying to make this work via SSH and Luci to no avail. None of the published CLI scripts produce a working configuration and, likewise, using Luci. The only difference between CLI and Luci is that when using Luci I can create a valid QR code that produces a valid configuration that makes sense. However, I cannot connect at all to the VPN server when using the Luci configured wireguard.

Right or wrong, I am reaching the conclusion that the GL firmware somehow messes up OpenWRT and, as a consequence, Wireguard.

I just realized that the Windows 10 firewall does not allow ping so my hosts on the Brume’s LAN simply do not respond to the pings! I connected a different type of device to the LAN interface and now VPN clients can ping the Brume LAN host.

First problem solved, moving on to the second problem:

I added the following option to access hosts on the client LAN:

list subnet '192.168.xxx.0/24'

but this doesn’t work. I cannot access any devices on the client’s LAN. How do I solve this problem? The client is running on a Windows laptop hanging off the LAN.

This is for a site2site configuration and it’s not useful for you.
If you can ping hosts on your LAN, the configuration is OK.
You can configure the Windows firewall to allow ping, RDP, file and folder sharing and other services.
What do you want to do with your LAN clients, and what devices are they?

Here’s the full picture from end user perspective:

Site B is a remote location in Canada that is on a cellular LTE connection. The cellular provider has built a strange, double NAT network, where it’s impossible to open an inbound port and reach a host on the LAN. In fact, I can’t even ping the cellular modem WAN interface due to the double NAT. On the LAN side there is a fully remotable radio and a few pieces of equipment related to the radio. Last but not least, there is a smart TV (think Netflix :wink:).

The ultimate goal is to be able to use remotely the radio and watch a movie or two when in Canada.

However, since I can’t open inbound ports in Canada, I am creating the Wireguard server here at home in the US. The assumption is that Canada being the client will “call home” and the VPN tunnel will give me access to the ports I need to access the remote radio. As a bonus, when in Canada, I can watch my movies.

So Site A is mostly a straight Wireguard server on the typical residential home network. Accessing Site A LAN hosts remotely is not a must have requirement. But accessing the Site B LAN hosts in Canada is the absolute must.

Then Site C will be a friend who also wants to use my radio in Canada. The assumption is that he will VPN into Site A, which in turn will relay the traffic to Site B. Site C clients should not have any access to my home network at Site A. Ideally I don’t want Site C clients to push their general internet traffic via Site A as I don’t want to become their de facto ISP.

For now, while testing this, Site B is friend’s house. To simulate Canada, no inbound ports have been opened on the cable modem and WiFi router. The WG client is running on a Windows laptop on the home LAN, with plenty of non-Windows hosts available for ping.

I hope this helps.

Site2site A-B with two GL.iNet routers.
On site A: WG server configured via the GL.iNet GUI, and list subnet '192.168.xxx.0/24' in the config file.
On site B: WG client configured via LuCI, WG interface in the lan zone on the firewall, and the subnet of site A and the subnet of the tunnel in allowed IPs.
On site C: WG client in Windows, and the IP of the radio and other devices in allowed IPs.

Here’s what I have for now on Site A:

root@GL-MV1000:/etc/config# cat wireguard_server

config servers
    option local_ip '10.0.0.1'
    option local_ipv6 'fd00:db8:0:abc::1'
    option private_key 'gGfLZnWi4SAJNwXDYgpzC7Ahm451O1mmQPv='
    option public_key 'Pmkf1yz6Hy1nt88ON26KRPzoDXFtGVMLFSq='
    option access 'ACCEPT'
    option local_port '5001'
    option enable '1'

config peers 'wg_peer_4234'
    option name 'Rudy'
    option client_key 'KAiq7SfCjaVyn50MH2OAdeQaQIeQMKA3na4q'
    option private_key '2IXcAltNYNKKtrZrCVi85xBg8b2GFZOqHSjCU'
    option client_ip '10.0.0.2/32'

config peers 'wg_peer_8022'
    option name 'Mitko'
    option client_key '2RUxKeGSQephEtyg7REwCAbtIr8yv+1j5rnY'
    option private_key 'cJqCtYjy90hsg4VaoUVPzYdtDKuQ87vBdjOv'
    option client_ip '10.0.0.3/32'
    list subnet '192.168.0.0/24'

root@GL-MV1000:/etc/config# wg show

interface: wg0
  public key: Pmkf1yz6Hy1nt88ON26KRPzoDXFtGVMLFSq0
  private key: (hidden)
  listening port: 5001

peer: 2RUxKeGSQephEtyg7REwCAbtIr8yv+1j5rn
  endpoint: 173.72.xxx.xxx:18538
  allowed ips: 10.0.0.3/32, 192.168.0.0/24
  latest handshake: 58 seconds ago
  transfer: 98.29 KiB received, 359.25 KiB sent
  persistent keepalive: every 25 seconds

peer: KAiq7SfCjaVyn50MH2OAdeQaQIeQMKA3na4q
  endpoint: 24.185.xxx.xxx:43724
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 47 seconds ago
  transfer: 43.30 KiB received, 369.91 KiB sent
  persistent keepalive: every 25 seconds
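
Added example (editorial, not part of any post in this thread and not GL.iNet code): a small checker that reads `wg show`-style output and reports which peer WireGuard's allowed-IPs table would select for a destination, which is why a client's LAN is only reachable from the server once that subnet is listed under that peer. The sample text is constructed to mirror the output above; the peer keys are placeholders, the endpoints are documentation addresses, and the function names are made up for this example.

```python
import ipaddress

# Constructed sample modelled on the `wg show` output above (placeholder keys).
WG_SHOW = """\
interface: wg0
  listening port: 5001

peer: PEER_MITKO_PUBKEY_PLACEHOLDER
  endpoint: 203.0.113.10:18538
  allowed ips: 10.0.0.3/32, 192.168.0.0/24

peer: PEER_RUDY_PUBKEY_PLACEHOLDER
  endpoint: 198.51.100.20:43724
  allowed ips: 10.0.0.2/32
"""

def parse_allowed_ips(text):
    """Return {peer_key: [ip_network, ...]} from `wg show`-style text."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = []
        elif line.startswith("allowed ips:") and current is not None:
            value = line.split(":", 1)[1].strip()
            if value != "(none)":
                peers[current] = [ipaddress.ip_network(p.strip(), strict=False)
                                  for p in value.split(",")]
    return peers

def peer_for(peers, address):
    """Pick the peer whose most specific allowed-IPs entry covers address."""
    ip = ipaddress.ip_address(address)
    best = None
    for key, nets in peers.items():
        for net in nets:
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (key, net)
    return best[0] if best else None

if __name__ == "__main__":
    table = parse_allowed_ips(WG_SHOW)
    # A LAN host behind Mitko, Rudy's tunnel address, and an unlisted LAN.
    for dst in ("192.168.0.50", "10.0.0.2", "192.168.1.50"):
        print(dst, "->", peer_for(table, dst) or "no peer, not sent over wg0")
```

The same table is applied in reverse to incoming packets: traffic arriving from a peer is accepted only if its source address falls inside that peer's allowed IPs.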

Hi antifascista.
I’ve reset the MV1000 several times and tried to follow your instructions, but can’t get wireguard to work after converting WAN to LAN.
I stopped DHCP, changed the local IP address to be in line with local network, then changed WAN to be LAN.
I can connect the client, but can’t access the network. Tried adding wireguard to Lan zone, but it’s already there.
Also, you mention turning DNS on (not got to that part yet). Can I use Cloudflare DNS for this, or does it have to be one of the other DNS settings?

Cheers

Hi. My screenshot…

In the box “covered networks” on wireguard firewall section you have to set “lan”.

Excellent - working now, thank you :slight_smile:
Regarding DNS, can I set that to Cloudflare as the DNS service before I enable AdGuard, and point my router to the MV1000’s IP address for DNS?

OK, working fine now. Really pleased.
Using Cloudflare (not AdGuard) and pointing my internal network to the MV1000 for DNS lookups.
VPN working too.

Thanks for all your help antifascista :slight_smile:

I’m very happy for you.

Ok, now using AdGuard with Cloudflare as DNS. All working.

In case anyone at GL-Inet is reading this, in my opinion, a lot of people would really like to be able to do this…

(…a VPN Server on their home network sitting behind the ISP router… rather, use a GL device as a second router behind their main ISP router - to gain VPN access to their (or part of their) home network from remote locations…) I believe that’s what Zibazb is describing.

For me, I set it up as…
Internet
->ISP Router (192.168.22.1)
->Brume(192.168.23.1)
->NAS…

but I can’t seem to get the settings correct… Can anyone point me to a setup guide… I’ve tried so many ways… I’m not even sure into which ports to plug the ethernet cables anymore… (I know, I’m a mess)…

Any chance of doing a video explanation of this?
I (for one) would be very grateful.

If you want to use your Brume just as a VPN server and do not need its routing capabilities, just set it as an “Access Point” / “Bridge” in More Settings->Network Mode. To avoid confusion, set the WAN port as a LAN port, too.

Make sure you correctly set up the NAT ports in your ISP Router and that should be it.

Thanks for the input… I actually got it to work by removing the server and reinstalling it fresh… I guess making so many changes messed up the configs or something… Thanks for the help.